The IT Checklist for Employee Offboarding
Like it or not, this is the era of SaaS.
New SaaS applications are introduced every month, claiming to make work more productive and life more comfortable. They are easy to adopt and quick to put to work, so anyone can do it. We no longer have to wait for the expert IT guys to choose, evaluate and install the apps before giving us the green light to use them. We are independent and do what it takes to get the job done.
That’s all good unless you are in IT and have to handle the offboarding of employees leaving the company.
You then need to figure out what apps have been signed up and/or used by the employee, what access permissions you must revoke and what company data lies in those apps and should be deleted and returned to the safety of the corporate infrastructure.
That’s why we’ve put together this Employee Offboarding Checklist for IT. Your simple guide of the must-have steps that need to get done when employees move on.
Offboarding example checklist:
- Revoke system access from IdP and SSO
- Close employee SaaS accounts
- Terminate VPN and review any remote access methods
- Change/revoke shared account’s passwords
- Change system’s ownership
- Forward employee’s email address
- Recover company equipment and assets
- Reclaim employee licenses
- Update credit card payments
- Schedule account deletion for suspended accounts.
Download the full guide of the 10 critical steps for a smooth and easy employee offboarding process that will cover all of your bases.
1. Revoke system access from your IdP and SSO
Your Identity Provider (IdP) is usually the first port of call. This is your single source of truth and in many cases, the access point to many other internal and external systems.
Tip: Log in to your G-suite or Azure Active Directory admin console and suspend or disable the user.
If you have a Single Sign On (SSO) solution such as Okta, OneLogin or others, then disabling the user account on your SSO is one of your most important steps since the mission-critical systems are protected behind it.
Pro Tip: Do not reuse an old email address for new employees. For example, if email@example.com has left the company and then another John joins, do not give him the firstname.lastname@example.org address. This may allow him access to unrestricted resources.
2. Close employee SaaS accounts
According to Torii’s data, every employee has access to ~30 different SaaS accounts, which should all be closed for security, compliance, and cost-saving reasons.
- SaaS tools for which the employee has an active account
- SaaS tools the employee has used in the past
Make sure you also close the accounts of SaaS tools that are behind the SSO login. SaaS vendors are unaware of the fact that you’ve disabled the account access from the SSO or G-suite.
- Employee account data still lies with the 3rd party provider. What happens if the vendor gets hacked? Will they notify you of the data breach of an employee who is no longer with the company?
- Employee sessions might still be valid. While the employee may not be able to perform a new login, a long running session may leave the account exposed
- A vendor license is probably allocated to the employee and you may still be paying for it
- API access tokens might still be valid, leaving the backdoor open without you knowing about it. This is a bad security practice
Tip: Remember that revoking G-suite/SSO access is not enough. While it may block the user from accessing the system, it doesn’t delete their data on that tool and their account may still occupy a paid license seat.
3. Terminate VPN and review any remote access methods
It is common these days for employees to have remote access to internal or cloud services, whether they work from home or from a satellite office.
Make sure you revoke the employee’s access from all methods of logging into the VPN, remote desktop or any other remote access forms.
Tip: It is good practice to review your VPN and remote access logs once in a while, making sure nothing has fallen between the cracks.
4. Change/revoke shared account’s passwords
Having shared accounts is bad security practice, however, you may have some services where you’ve created a shared user for several employees. Whether that’s a database password, router access or a SaaS shared account, this is a backdoor left open.
In case the departing employee had access to a shared account, you should revoke all existing tokens and sessions and create a new password. This might also be a good time to revisit this shared account and create separate accounts where possible.
Tip: Shared accounts are bad security practice and should be avoided. They impose both security and compliance risks. Trying to trace whether an ex-employee has access to a shared account is a problem that you should not have got into in the first place.
5. Change systems ownership
The departing employee might have acted as the system owner of one or more tools. Make sure you have someone else assigned to the role and have the proper system permission to do so.
Tip: Keeping a list of system owners is good practice. You should have one go-to-person who owns the system. Additional roles such as a business owner and budget owners are also recommended.
6. Forward employee’s email address
To ensure business continuity, it is important to forward the emails of the departing employee to a colleague or a manager, at least temporarily. You should probably do this when you disable the employee’s G-suite/Office-365 email account.
It is good practice to create an automatic reply on behalf of the departing employee, letting the sender know his email will be addressed by a new employee.
This is especially important for employees who were the single point of contact with a customer or a supplier.
Tip: When thinking about single-point-of-contact employees, not only managers or sales executive emails should be forwarded. Remember that in today’s SaaS era, many individual contributors in various departments might have signed up for a SaaS tool. An important email from a vendor might be lost unless you had created a forward rule for the employees once they’d left.
7. Recover company equipment and assets
Stating the obvious, but without an updated and comprehensive company asset register, company property might get lost. Keeping updated inventory of company assets used by each employee is good practice, and checking these assets when the employee leaves is a must.
Recover all company property from the departing employee, including laptop, cell phone, peripheral devices, office keys, access cards, etc.
8. Reclaim employee licenses
Only a handful of SaaS applications like Slack offer a fair billing policy. Most SaaS tools actually hide the fact that you keep paying for inactive users, including employees
that are no longer with the company. Our observation is that the total cost of wasted licenses can sum up to ~30% of your total SaaS license cost.
To save costs, make sure you reclaim the SaaS licenses of departing employees. Pay attention to the different license models of the various providers. With many tools, you keep paying for disabled/suspended accounts as if they were active accounts. Usually only removing the account will actually stop the license cost charges.
9. Update credit card payments
Charging your credit card is very common with SaaS applications. Your finance department will revoke the corporate card held by a departing employee, but how would you know for which SaaS applications this card has been paying?
Keeping an up-to-date list that matches the credit cards and their SaaS apps billing records is critical if you would like to ensure business continuity. Once you have this list in place, you need to make sure you regularly update new cards and apps on the list. Failing to do so might result in the vendor blocking access to the service or limiting its functionality.
10. Schedule account deletion for suspended accounts
With many services such as Salesforce, G-suite, Dropbox, and others, you have the ability to suspend/disable the user before deleting it. This allows you to disable the employee’s access to a certain account without losing important corporate data.
While this is good practice, we tend to forget to review those accounts and delete them once the data has been transferred.
Make sure you install a good process to revisit suspended accounts after a fixed period of time to delete them.
A smooth employee exit is just as important as a great start, for the employee and for the company. Formalizing the offboarding process not only mitigates legal and security threats, it also ensures that employee’s departure causes minimal disruption. The proliferation of SaaS tools has made the employee’s offboarding task considerably more difficult.
Follow checklist to keep your operation smooth and the organization secure and compliant; Keep employee’s SaaS licenses under control to make sure money is not wasted.
But what's next? The truth is that offboarding is just one stage of the employee lifecycle. If you want to gain a better understanding of the way that your employees are using technology throughout their entire time at your organization, you should consider a SaaS Management Platform. From onboarding, to Shadow IT discovery, to license optimization, to offboarding, Automated SaaS Management empowers you to empower your whole organization.
Uri Nativ has over 19 years of software engineering experience as both an engineer and a hands-on manager. He founded the Klarna Engineering center in Tel-Aviv, holding the position of VP Engineering & Site Manager. Uri has broad experience building B2B enterprise products from his days at VMWare, EMC, nLayers, and Sanctum.